I have come up with a problem in my development and I have searched for correct solutions but have not found any.
I am developing an application which lets users log in with a username and password. After logging in, the username is saved in SharedPreferences to retrieve it later if the user does any operation, such as uploading a file to a server. However, a username stored in SharedPreferences is still reachable and editable by root users, which can allow a user to change their username to someone else's and do operations such as uploading files using that specific username.
So my question is, is there any secure way to identify whether the user uploading a file to the server with that username is legit? I cannot save both the username and password inside the app and send them to the server upon each operation to check whether the user is legit or not, due to the risks that might occur upon saving the password in the app.

1 Answer
1

A mobile app is not fundamentally different from a web app with regards to security: the server can't trust anything that the client is sending. The server must validate the authorization of every request it receives. In particular, you must authorize users, not devices.

You are right that sending the password each time might be problematic. Instead, use a short-lived authentication token (like a cookie with web apps) that is cryptographically signed by the server. The token is issued by the server upon login with username/password. This token includes protected information like the username. The client sends the token as authentication with later requests. The server then checks the signature of the token to see whether the token is valid. Compare also JWT for an existing scheme – DO NOT invent your own. When implemented correctly, the information in a token cannot be edited by the client.

Storing the token in the app is safer than storing a plaintext password, but it's still sensitive information. In some cases, it might be desirable to limit the validity of the token to some time span until new authentication is required. You may also want to re-authenticate for privileged operations. But most apps really aren't that important and should allow tokens with long durations.

Is a rooted phone a threat? The security of the client should not affect the security of the server, hence schemes such as server-signed tokens. In general, the person who has rooted a phone and the person who holds a user account of the service are the same person. You cannot defend someone against themselves, therefore it is not reasonable or possible to prevent extraction of keys, passwords, or tokens from your app.

The primary threat w.r.t. rooted phones is malware that the user has (unknowingly) installed or that the device manufacturer has preinstalled. You cannot reasonably defend against that, though some security-sensitive apps look for signs of rooting and refuse to run on rooted devices.
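The following is an added example to illustrate the server-signed token flow described in the answer above; it is not code from the question or the answer. It hand-rolls an HMAC-SHA256 signed token (the same construction as JWT's HS256) purely to make the mechanism visible, using only the Python standard library so it runs offline. The answer's advice still applies: in a real app, use an existing, reviewed scheme such as JWT rather than this code. All names (`SERVER_SECRET`, `issue_token`, `verify_token`, `handle_upload`, `tamper_username`, the `alice`/`bob` accounts and the constructed user table) are illustrative assumptions. `tamper_username` plays the role of a root user editing the token stored on the device: the username in the payload changes, but the server's signature check rejects it.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Held only by the server. Never shipped inside the app, so a rooted device cannot forge tokens.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed user table for the example: username -> salted PBKDF2 hash of the password.
_USERS = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"salt-alice", 100_000),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, ttl_seconds: int, now: Optional[float] = None,
                secret: bytes = SERVER_SECRET) -> str:
    """Server side: build '<payload>.<signature>' after a successful login."""
    now = time.time() if now is None else now
    payload = {"sub": username, "iat": int(now), "exp": int(now) + ttl_seconds}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: Optional[float] = None,
                 secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Server side: return the payload if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        given = _unb64(sig)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison; the signature is checked before the payload is trusted at all.
        if not hmac.compare_digest(given, expected):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:
        return None
    if payload.get("exp", 0) <= now:
        return None
    return payload


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Server side: the only step that ever sees the password; returns a 1-hour token or None."""
    stored = _USERS.get(username)
    if stored is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), f"salt-{username}".encode(), 100_000)
    if not hmac.compare_digest(candidate, stored):
        return None
    return issue_token(username, ttl_seconds=3600, now=now)


def handle_upload(token: str, filename: str, now: Optional[float] = None) -> tuple:
    """Server side: authorize the upload from the token, not from anything else the client says."""
    payload = verify_token(token, now)
    if payload is None:
        return (401, "invalid or expired token")
    return (200, f"stored {filename} for {payload['sub']}")


def tamper_username(token: str, new_username: str) -> str:
    """Attacker with root on the device: rewrite the username but keep the old signature."""
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload["sub"] = new_username
    new_body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{new_body}.{sig}"


if __name__ == "__main__":
    t0 = time.time()
    tok = login("alice", "correct horse", now=t0)
    print(handle_upload(tok, "report.pdf", now=t0 + 10))                       # 200, alice
    print(handle_upload(tamper_username(tok, "bob"), "report.pdf", now=t0 + 10))  # 401
    print(handle_upload(tok, "report.pdf", now=t0 + 7200))                     # 401, expired
```

The client only ever stores the token string; the password is used once, inside `login`, and never persisted on the device. Editing the stored token changes the payload bytes, so the HMAC no longer matches and `verify_token` returns `None` before the username is ever read. The `exp` field implements the answer's suggestion of limiting token lifetime.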